Bluehost cPanel Login Insecure!
So I was mucking about in the cPanel the other day and entered the "Edit Contact Details" area. After messing around with my settings, I hit the Bluehost logo up in the top-left, which brought me back to the home page.
When I re-entered my username and password, I saw something that caught my attention...
What the hell is this garbage, Bluehost? I'm not sure if any of you guys actually coded the login aspect of the website, but this is garbage. You should be ashamed that you're passing login information in the clear like that.
Everyone, be advised.
(I've edited the screenshot to obviously not show my password and domain, but I can reproduce this crap over and over again if need be)
12-30-2008, 08:16 AM
Who is "you guys?" This is a user-to-user forum, not a BH support site. BH employees occasionally wander in, but rarely.
You'll also find that if you access cPanel by any of the following methods, it's secure:
Go to http://www.bluehost.com instead of http://bluehost.com
Go to http://yourdomain.com/securecontrolpanel (use your own domain)
Go to https://box61.bluehost.com:2083/frontend/bluehost/index.html (use your own box#)
Ok, then consider this a message to alert the masses, my mistake.
Regardless, it's an issue that should be addressed.
12-30-2008, 08:23 AM
See my edited reply - it has been addressed. There's still one insecure path, but that's the result of some redirection to allow for both "www" and no "www" addresses, and you're not required to use it.
Understand that I'm not attacking anyone on this forum personally, it's just sloppy coding, though.
Thank you for showing me the alternative links, though.
12-30-2008, 11:03 PM
I was surprised to see that BH doesn't use SSL/TLS to secure the login to cPanel. Not that I plan on doing anything about it, and I know no one here is in a position to fix it. I just thought it odd that they leave full account access of a paid customer open like that.
12-30-2008, 11:15 PM
As pointed out, there is a fully secure way to access the Control Panel (the http://yourdomain.com/securecontrolpanel path). This is something that people spend a lot of time fretting about, but which has not proven to be a genuine problem. Accounts that get hacked don't get hacked because of the lack of SSL on the cPanel login. They get hacked because of the massive security holes in the scripts that people run on their sites.
12-31-2008, 08:52 AM
As pointed out, there is a fully secure way to access the Control Panel (the http://yourdomain.com/securecontrolpanel path).
Cool! I didn't know that. That's what I'm looking for (just joined the forum today) - so thanks.
BTW, did you read the stuff on Slashdot regarding Comodo (I believe this is the BlueHost SSL certificate authority)?
12-31-2008, 09:02 AM
This one is actually in the BH knowledgebase: http://helpdesk.bluehost.com/kb/index.php?x=&mod_id=2&id=185
That's not always true - there are a lot of things that aren't well-advertised, and can be tough to hunt down!
12-31-2008, 09:07 AM
Just tried that in
All responded with an 'Invalid Security Exception'
Seems BlueHost is itself not Comodo-certified but is running self-certified so it is its own trusted root. Still makes me happier -- as based on my previous post I was concerned about Comodo!
12-31-2008, 09:10 AM
This one is actually in the BH knowledgebase: http://helpdesk.bluehost.com/kb/inde...od_id=2&id=185
And, oh dear! I started there first (before the forum) -- guess I need to upgrade my searching skills :-(
12-31-2008, 09:17 AM
My batting average for searching the KB is about .500, at best. It's a lot like trying to search a Microsoft KB or "help" document - it takes a combination of luck, and knowing the magic words to plug in.
12-31-2008, 03:38 PM
01-21-2009, 10:23 PM
When I try to log in
this alert appears
I request a password & log in with the new password
But I couldn't log in to my cPanel
01-22-2009, 03:30 PM
I'm finding all of this fascinating. I've read through all of the links in the previous posts. Thanks for giving me a lot to chew on.
01-24-2009, 08:06 AM
I asked BH.
I must set a max of 15 digits, but I had set 17 digits.